What if an agency moved to the cloud and no one noticed? That’s one of the implications of a recent Deloitte survey that found that most federal cloud migrations have not been successful and that employees are not appreciating the benefits of the shift.
What can agencies do to turn that around? Agencies, the survey states, need to take a “cloud native” approach, rather than “devoting an already constrained IT budget to maintaining legacy hardware and infrastructures.” Additionally, after cloud migrations take place, IT leaders should do a better job of explaining and educating employees on how cloud services can be used and the benefits they can deliver.
For more than six years, the federal government has been pursuing a formal “Cloud First” policy that requires agencies to default to using a cloud-based technology if they can find a secure, reliable and cost-effective solution.
The Deloitte report is based on a November 2016 survey of 328 senior employees in more than 30 agencies across the government. It covered not just IT and technical professionals, but also those in administrative functions, human resources, procurement, healthcare, finance, law enforcement/public safety and more. The survey revealed a deep ambivalence about the cloud.
According to the report, one-third of respondents indicated that support for cloud technology at their agency has increased since the Cloud First policy was introduced. However, 26 percent say the level of support has not changed since 2011 and another 31 percent report that cloud technology “has had no noticeable impact on their agency’s mission.” And while more respondents say cloud has had a positive impact (24 percent) than a negative impact (6 percent), “a plurality either remain unconvinced of the efficiencies cloud can deliver or unaware of the potential benefits it offers.”
Many of the respondents said they faced challenges in moving applications to the cloud. Fully 41 percent of respondents described their migration efforts as mixed (17 percent), problematic (12 percent), or non-existent (12 percent). In fact, just 9 percent described the transition to the cloud as having been successful, with the remaining 50 percent saying they did not know.
The most common pain points respondents cited for these difficulties in cloud migrations are security concerns, lack of skills and IT expertise, and budgetary constraints. The difficulty of integrating or rewriting legacy apps to fit cloud environments is another common issue, since those in charge of such efforts struggle to incorporate apps that were not originally developed with cloud in mind, according to the report.
Further, respondents were asked to identify both the main factors driving cloud adoption at their agencies and the major obstacles facing these adoption efforts. Among potential drivers, compliance with federal mandates (25 percent) — such as the Federal Information Security Modernization Act and the General Services Administration’s Federal Risk and Authorization Management Program — was top-ranked among respondents. Greater access to expanded data sharing capabilities (23 percent) and cost savings (19 percent) were other key drivers.
In terms of challenges to successful cloud migrations, data security concerns are prominent, according to a third of respondents, followed by limited funding, lack of in-house technical expertise, cultural resistance and meeting federal security requirements (such as FedRAMP).
Given these challenges and results, what can agency IT leaders do to make cloud transitions more successful?
One key step is to embrace cloud-native architectures and applications, which are more scalable and easier to deploy and navigate than legacy apps that were migrated to the cloud.
While still in alpha stage, 18F’s cloud.gov portal encourages agencies to take advantage of the benefits that cloud-native architectures can offer, Deloitte notes. These include “the ability to quickly deploy applications that comply with federal policies — without needing to manage infrastructure,” as well as “the ability to scale applications on top of existing cloud services.” Agencies will also get more “freedom to experiment, build, and test prototypes without adding” more costs, and can shorten “the path to ATO (Authority to Operate) for each new or updated application, because after your agency gives cloud.gov ATO, only your application needs to be evaluated for security and compliance.”
However, 35 percent of respondents feel their current applications were never developed for the cloud, and just one in five respondents say their organization is either extensively leveraging cloud-native applications or at least piloting early applications developed for the cloud.
When asked how apps can be developed to have maximum effectiveness in the cloud, respondents placed a high premium on having ease of operation, stability, and performance in those apps. The combination of these factors, and the 17-18 point preference gap they hold over the next listed attribute, agility, “suggest that security, speed, and sensible, user-friendly navigation are at the top of respondents’ wish lists when it comes to operating cloud-enabled applications,” according to Deloitte.
Agencies must find cloud solutions that safeguard information without sacrificing mobility, according to the report. However, IT leaders “should avoid ‘cloud sprawl,’ the result of going all-in on cloud without first having a clear strategy in mind for how to manage multiple cloud environments and the organizational changes demanded by this transition.”
Deloitte suggests that “the current ‘lift-and-shift’ of applications into the cloud may be expedient, but is unsustainable in the long term as cracks in the veneer begin to show: periodic slowdowns, performance disruptions, and buggy navigation — common results of a development process that never originally had the cloud in mind.”
Instead, agencies should embrace the cloud-native approach, and “seek expert guidance and tools from industry leaders in the cloud-native space, allowing for more automated maintenance, secure iterations, and development of applications that truly realize the full capabilities of the cloud. Such applications will not only be more secure, but agile, scalable, and navigationally intuitive for the end users who need them most.”
Doug Bourgeois, a managing director for the technology strategy and architecture practice at Deloitte, told FedScoop that federal leaders could improve their change management approach to cloud — how the agency and its employees deal with the migration to the cloud.
“Because on the one hand, they’re doing a lot on the front end to show support and to talk about the value of cloud,” he says. “But then after the migrations they’re not really coming back and sharing with their own agencies that, you know, cloud provided these values and these benefits, and things like that.”